560SampleReportV3.0
Transcript of 560SampleReportV3.0
8/10/2019 560SampleReportV3.0
http://slidepdf.com/reader/full/560samplereportv30 1/18
Sensitive: The information in this document is not to be disclosed outside of Target Widgets, Inc. or PenTest, Inc. without prior written consent of both organizations.
Example Pen Test Report ©2008 SANS and Ed Skoudis
Internet Infrastructure
Network Penetration Test
Final Report
Prepared for Target Widgets, Inc.
By PenTest, Inc.
September 15, 2009
Table of Contents

1. Executive Summary ..... 3
2. Introduction ..... 5
3. Test Methodology ..... 7
4. Findings ..... 12
4.1 High-Risk Findings ..... 13
4.1.1 VNC Offers Remote Control of Mail Server Across Internet ..... 13
4.1.2 Guessable Password Allows for Remote Compromise of Mail Server ..... 13
4.1.3 Unpatched Windows Machine on DMZ Allows Exfiltration of PII ..... 14
4.1.4 High-Risk: Unencrypted PII on DMZ Server ..... 15
4.2 Medium-Risk Findings ..... 16
4.2.1 OpenSSH Flaw Could Allow Unauthorized Access on Linux Server ..... 16
4.2.2 Excessive Open Ports Indicates Lax Firewall Rules and Hardening ..... 16
5. Conclusions ..... 18
1. Executive Summary

This report presents the results of a penetration test of Target Widgets' Internet Infrastructure performed by PenTest, Inc. from March 8, 2009 to March 22, 2009. The test's scope focused on Internet-accessible systems on the 192.168.14/24 and 192.168.18/24 subnets, which make up the primary DMZ for Target Widgets. The project was focused on finding and exploiting server-side vulnerabilities in a network penetration test to determine Target Widgets' business risk profile associated with Internet-based attacks. Client-side testing, web application manipulation, denial of service, and social engineering were not included in the scope of the project.

As described in more detail in the technical findings in the rest of this report, PenTest, Inc. discovered significant security vulnerabilities in the target infrastructure that pose a high risk to Target Widgets' business. In particular, PenTest's personnel were able to gain access to Personally Identifiable Information (PII) of over 4 million Target Widgets customers. If a malicious attacker were to exploit these flaws to steal this sensitive information, Target Widgets could face brand tarnishment, government investigations, and possibly fines, with significant impact to its business. Compared to other companies in the widget industry, the security of Target Widgets' Internet DMZ was found to be relatively weak.

To address these issues, PenTest, Inc. recommends that Target Widgets employ a series of short-term tactics and long-term strategies to improve security. From a short-term perspective, PenTest, Inc. recommends that Target Widgets conduct the following actions within one week or less to prevent malicious attackers from compromising the PII:

• Block inbound Virtual Network Computing (VNC) access to DMZ systems from the Internet, managing them from the local console or internal network until Target Widgets selects and deploys a suitably secure remote management tool.
• Change the easy-to-guess passwords for all accounts, especially any accounts used for system administration, on machine 192.168.14.21, the mail server on the DMZ. Investigate this machine to determine if malicious attackers compromised the system prior to the PenTest, Inc. project.
• Update all software patches on the database server at 192.168.14.57 to lower the chance that it can be compromised. Target Widgets personnel should likewise analyze this machine to determine whether it has been compromised by attackers.
• Apply an encryption solution to protect all PII stored on sensitive machines, especially on the database server at 192.168.14.57.

While these recommendations will deal with the immediate issues discovered during the test, PenTest, Inc. recommends that Target Widgets' management institute significant changes in the overall security practices of the DMZ environment to ensure that these or related issues do not recur. From a longer-term perspective, PenTest, Inc. recommends that Target Widgets apply the following recommendations over the next thirty-to-sixty days:
• Select and deploy a secure solution for remote management of servers across the Internet that relies on strong encryption, such as Secure Shell (SSH), IPsec Virtual Private Networks (VPNs), or Secure Sockets Layer (SSL). The solution should also utilize strong authentication, such as one-time passwords, time-based authentication tokens, or challenge/response tokens.
• Deploy and configure password-complexity enforcement tools on all DMZ systems to prevent users from choosing easy-to-guess passwords. Once such tools are deployed, require users to change their passwords.
• Update the patching policy and process of all servers on the DMZ to ensure that critical patches are tested and deployed within 24 hours of release by the vendor.
• Devise and apply updated hardening documentation for secure configuration of each machine on the DMZ, focusing specifically on disabling unneeded services.
• Review the filtering rules on border firewalls and routers, reconfiguring the devices to close all unneeded ports and services on both an inbound and outbound basis. Allow only those ports with a clear, well-documented business need.
• Determine whether there is a business need to store PII on the DMZ at all. If such access is not required, redesign the associated applications and network so that PII can be stored on an internal protected network.
• Verify the use of encryption for sensitive data throughout the enterprise, ensuring specifically that PII is properly encrypted both in transit across the network and at rest in databases and file systems.
Any questions regarding this report or the penetration test it describes should be directed to John Smith, the technical lead of the project from PenTest, Inc., at [email protected] or 555-555-5555.
2. Introduction

At the request of Target Widgets' security team, PenTest, Inc. performed a network penetration test of the company's Internet infrastructure from March 8 to March 22, 2009. The goal of the test was to determine whether an attacker on the Internet could gain access to Personally Identifiable Information associated with Target Widgets customers. The scope of the project focused on network penetration testing of accessible services across the Internet. Client-side testing, web application manipulation, denial of service, and social engineering were not included in the scope of the project.

As described in more detail in the technical findings in the rest of this report, PenTest, Inc. discovered significant security vulnerabilities in the target infrastructure that pose a high risk to Target Widgets' business. In particular, PenTest's personnel were able to gain access to Personally Identifiable Information (PII) of over 4 million Target Widgets customers. If a malicious attacker were to exploit these flaws to steal this sensitive information, Target Widgets could face brand tarnishment, government investigations, and possibly fines, with significant impact to its business. Compared to other companies in the widget industry, the security of Target Widgets' Internet DMZ was found to be relatively weak.

The testing was performed under the supervision of Target Widgets employee Jane Doe, with all tests originating from PenTest Inc.'s security labs located in Big City. Table 1 lists the personnel that participated in the test and analysis activities.
Table 1: Personnel Involved in the Project

Name            Company               Role in Project                  Contact Information
John Smith      PenTest, Inc.         Tester and test technical lead   [email protected] or 555-555-5555
Sally Johnson   PenTest, Inc.         Tester                           [email protected] or 555-555-5556
Jane Doe        Target Widgets, Inc.  Project coordinator              [email protected] or 555-555-1111
Sam Brown       Target Widgets, Inc.  DMZ system administrator         [email protected] or 555-555-2222
The test focused on the Target Widgets Internet Infrastructure and its related systems, including servers, firewalls, routers, and other equipment located on the 192.168.14/24 and 192.168.18/24 subnets. At the outset of this “crystal box” test, Target Widgets personnel provided this network address information, along with a network diagram indicating the overall topology of the network and the operating system type of each target machine. PenTest personnel found that the network diagram accurately reflected the composition of the target network. No deviations were found between the diagram and the tested target infrastructure. According to Target Widgets personnel, all systems in the target range were owned and operated by Target Widgets; the scope of the test included no systems belonging to other organizations.
Manual testing occurred during normal business hours, from 9:00 AM until 6:00 PM Eastern Time, throughout the duration of the project. Lengthy scans and automated password-guessing tests were conducted around the clock, as allowed for in the project's Rules of Engagement. Each day throughout the project, Target Widgets employees and PenTest consultants conducted a debriefing conference call, during which the team discussed the progress and findings for that day.
3. Test Methodology

PenTest, Inc. applied our comprehensive network penetration testing methodology to conduct this project. This methodology is broken into three phases, associated with mapping the network, scanning for vulnerabilities, and exploiting vulnerabilities to determine the business risk they pose to the enterprise. Each of these phases, as well as PenTest's discoveries and analysis during each phase, is described in this section.

Phase 1: Map and Identify Active Devices.

The goal of this phase of the project is to discover systems in the target environment, essentially mapping the attack surface for the remaining phases. Even in a crystal box test (in which target system personnel provide the testers with a diagram and inventory of target machines), PenTest, Inc. still applies this phase to verify the information provided at the outset of the test. To discover potential target machines, PenTest, Inc. applies numerous methods, including:

• Whois Lookups: PenTest personnel look up the domain names provided in the project scope to identify the DNS server as well as contact information for target system personnel. We verified these whois registration records with Target Widgets personnel, who confirmed that the information in them was accurate and up to date.
• DNS Zone Transfer: PenTest personnel connect to the primary, secondary, and tertiary name servers of the target organization and attempt a zone transfer for all domains included in the scope of work. For this test, we were not successful in performing a zone transfer, because Target Widgets has likely blocked such access from arbitrary hosts on the Internet.
• DNS Reverse Record Lookup: PenTest personnel use automated tools to send a series of DNS queries looking for reverse records (PTR record type) that map IP addresses to domain names for all Internet-accessible addresses included in the scope of work.
• Search Engine Queries: PenTest personnel send a series of requests to the Google, Yahoo, and Microsoft LiveSearch search engines, looking for evidence of target machines that fall within the scope of the project.
• ICMP sweeps: PenTest personnel send a series of Internet Control Message Protocol (ICMP) packets to each address in the target network range to determine which addresses respond. Our tools send ICMP Echo (ICMP Type 8), Address Mask (ICMP Type 17), and Timestamp (ICMP Type 13) request messages, looking for a response.
• TCP sweeps: PenTest sends a series of TCP packets to widely used ports to determine if a response comes back from target addresses. In particular, we send SYN packets as well as ACK packets to TCP ports 21, 22, 23, 25, 80, 135, 139, 443, and 445, looking for either SYN-ACK or RESET responses coming back that may indicate a target machine using the given address.
• UDP sweeps: PenTest also sends UDP packets into the target network on UDP port 53, looking for either UDP or ICMP Port Unreachable responses back, each indicative of a potential target machine.
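The sweep traffic listed above is also what a DMZ firewall log should be watched for. The following is an added example, not part of the original report, showing how a defender could flag sources that exhibit these patterns; the flow-record format, the sample records and the host threshold are constructed for the example.

```python
"""Flag sources whose traffic matches the Phase 1 sweep patterns listed above.

Added example using a constructed flow-record format (not a real firewall log):
    <src_ip> <dst_ip> <proto> <detail>
where <detail> is 'type=<n>' for ICMP, '<dport>/<flags>' for TCP (flags S or A)
and '<dport>' for UDP.
"""
from collections import defaultdict

# TCP ports the report's sweeps probe, and the ICMP request types its tools send.
SWEEP_TCP_PORTS = {21, 22, 23, 25, 80, 135, 139, 443, 445}
PROBE_ICMP_TYPES = {8: "echo", 13: "timestamp", 17: "address mask"}

# Constructed sample: 203.0.113.5 sweeps the DMZ ranges, 198.51.100.7 is a normal
# client talking to the web and DNS servers.
SAMPLE_LOG = """
203.0.113.5 192.168.14.21 ICMP type=8
203.0.113.5 192.168.14.22 ICMP type=8
203.0.113.5 192.168.14.23 ICMP type=8
203.0.113.5 192.168.14.24 ICMP type=8
203.0.113.5 192.168.14.25 ICMP type=8
203.0.113.5 192.168.14.21 ICMP type=13
203.0.113.5 192.168.18.3 TCP 445/S
203.0.113.5 192.168.18.9 TCP 445/S
203.0.113.5 192.168.18.14 TCP 445/S
203.0.113.5 192.168.18.18 TCP 445/S
203.0.113.5 192.168.18.53 TCP 445/S
203.0.113.5 192.168.18.3 TCP 80/A
203.0.113.5 192.168.18.9 TCP 80/A
203.0.113.5 192.168.18.14 TCP 80/A
203.0.113.5 192.168.18.18 TCP 80/A
203.0.113.5 192.168.18.53 TCP 80/A
203.0.113.5 192.168.18.3 UDP 53
203.0.113.5 192.168.18.9 UDP 53
203.0.113.5 192.168.18.14 UDP 53
203.0.113.5 192.168.18.18 UDP 53
203.0.113.5 192.168.18.53 UDP 53
198.51.100.7 192.168.18.3 TCP 443/S
198.51.100.7 192.168.18.3 TCP 443/S
198.51.100.7 192.168.18.53 UDP 53
""".strip().splitlines()


def parse_record(line):
    """Split one constructed record into (src, dst, proto, number, flags)."""
    src, dst, proto, detail = line.split()
    proto = proto.upper()
    if proto == "ICMP":
        return src, dst, proto, int(detail.split("=", 1)[1]), None
    if proto == "TCP":
        port, flags = detail.split("/", 1)
        return src, dst, proto, int(port), flags.upper()
    return src, dst, proto, int(detail), None


def detect_sweeps(lines, min_hosts=5):
    """Return {src: [reasons]} for sources whose traffic looks like a sweep."""
    icmp = defaultdict(lambda: defaultdict(set))  # src -> ICMP type -> dsts
    tcp = defaultdict(lambda: defaultdict(set))   # src -> TCP flags -> dsts
    udp53 = defaultdict(set)                      # src -> dsts
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, num, flags = parse_record(line)
        if proto == "ICMP" and num in PROBE_ICMP_TYPES:
            icmp[src][num].add(dst)
        elif proto == "TCP" and num in SWEEP_TCP_PORTS:
            tcp[src][flags].add(dst)
        elif proto == "UDP" and num == 53:
            udp53[src].add(dst)

    findings = defaultdict(list)
    for src, per_type in icmp.items():
        for icmp_type, dsts in per_type.items():
            # One timestamp or address-mask request is already unusual; echo
            # requests only count once they touch min_hosts distinct hosts.
            if icmp_type in (13, 17) or len(dsts) >= min_hosts:
                findings[src].append(
                    f"ICMP {PROBE_ICMP_TYPES[icmp_type]} requests to {len(dsts)} host(s)")
    for src, per_flags in tcp.items():
        for flags, dsts in per_flags.items():
            if len(dsts) >= min_hosts:
                kind = {"S": "SYN", "A": "ACK"}.get(flags, flags)
                findings[src].append(
                    f"TCP {kind} probes on common ports to {len(dsts)} host(s)")
    for src, dsts in udp53.items():
        if len(dsts) >= min_hosts:
            findings[src].append(f"UDP/53 probes to {len(dsts)} host(s)")
    return dict(findings)


if __name__ == "__main__":
    for src, reasons in detect_sweeps(SAMPLE_LOG).items():
        print(src)
        for reason in reasons:
            print("  -", reason)
```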
After discovering each target, PenTest personnel then applied operating system fingerprinting, using all of the applicable tests in the second-generation fingerprinting techniques of Nmap as well as Xprobe2 to identify the operating system type. It is important to note that host discovery is an iterative process applied throughout the project. When PenTest personnel compromise a target system in Phase 3 (described below), we verify with target system personnel that the newly compromised machine can be used to apply sweeping activities to find additional targets within the scope of the project. Of particular interest, PenTest personnel identified the db8 system, which held sensitive PII, by launching a ping sweep using ICMP Echo messages from the compromised mail server (mail.targetwidgets.tgt) on the DMZ.

Applying each of these methods, PenTest personnel developed the list of target machines shown in Table 2.
Table 2: Target Systems Identified During Network Mapping Activities

IP Address      Machine Name                Operating System Type   How Discovered
192.168.14.21   mail.targetwidgets.tgt      Windows 2003 Server     ICMP Echo Request
192.168.14.22   staging.targetwidgets.tgt   Windows 2003 Server     Reverse DNS lookup (PTR record)
192.168.14.57   db8 (see note)              Windows 2000 Server     Ping sweep (ICMP Echo Request) from compromised mail server 192.168.14.21
192.168.18.89   appsrv.targetwidgets.tgt    Linux kernel 2.6        Google searches for site:targetwidgets.tgt
192.168.18.3    www.targetwidgets.tgt       Linux kernel 2.6        Google searches for site:targetwidgets.tgt
192.168.18.9    www2.targetwidgets.tgt      Linux kernel 2.6        TCP SYN sweep for port 80
192.168.18.14   No name                     Windows 2003 Server     TCP SYN sweep for port 445
192.168.18.18   No name                     Linux kernel 2.6        UDP sweep for port 53
192.168.18.53   dns.targetwidgets.tgt       Windows 2003 Server     Whois lookup

Note on db8: because there was no record in DNS for this machine, its name was gathered from nbtstat running on the mail server and, after compromise of the host itself, from the hostname command.
Phase 2: Scan Active Devices for Vulnerabilities.

In this phase of the test, PenTest personnel began with a port scan of all discovered target machines, scanning TCP ports 0 through 65,535 and UDP ports 1-1024. As agreed to by Target Widgets personnel, our TCP scans focused on half-open SYN scans using Nmap's “normal” timing options. For the most part, we found that Target Widgets firewalls blocked the vast majority of inbound traffic, allowing in only traffic associated with the business purpose of a given host. There were four systems that were an exception to this generally good filtering, as noted in Finding 4.2.2.

After determining the open ports on the target systems, PenTest personnel proceeded to perform version scanning of the machines using Nmap's version scanning functionality as well as The Hacker's Choice (THC) Amap. These tools gather information about the version of the protocol spoken by each listening port and/or the version of software listening on each port. We found no unusual versions or protocols on the target machines. PenTest personnel did find that one of the target machines allowed inbound Virtual Network Computing (VNC) access from the Internet on TCP port 5900, requiring password-based authentication using the latest VNC protocol version spoken by VNC 4.X, for remote GUI control of this mail server at 192.168.14.21. This issue is discussed in more detail in Finding 4.1.1.

We next proceeded to conduct a vulnerability scan using Tenable's Nessus scanner with a commercial feed of plug-in updates from March 5, 2009. PenTest personnel tested all of the latest plug-ins in our labs before running them against Target Widgets systems to ensure the plug-ins performed as expected. The initial Nessus scan against the target machines also found the VNC service listening on the mail server. Nessus also found an older version of OpenSSH that is subject to authentication bypass on the Linux application server at 192.168.18.89, although we were unable to successfully exploit this issue, as described in detail in Finding 4.2.1. And, finally, Nessus found an unusually large number of listening ports on four servers on the 192.168.18 subnet, indicative of lax firewall rules and a lack of system hardening to disable or filter unneeded services. In short, Nessus verified many of our Nmap and Amap findings.
Phase 3: Exploit Vulnerabilities.

In this phase of the test, PenTest personnel attempted to exploit the issues identified in Phase 2 to gain access to target machines and determine the business risks associated with any discovered vulnerabilities. We began by building a custom dictionary for password guessing by crawling Target Widgets' own website at www.targetwidgets.tgt to create a unique list of words. To accomplish the password guessing attack within the two-week time span of the project, we trimmed down the list of words to just over 1,000 entries. We then configured the THC Hydra tool to conduct the password guesses against the VNC service running on the mail server at 192.168.14.21.
While the password guessing attack ran, PenTest personnel attempted to exploit the OpenSSH authentication bypass vulnerability manually using publicly available exploit code against the target system. All of our attempts at OpenSSH exploitation failed, because the exploit requires the attacker to first gain access to the public key of a user on the machine to bypass authentication. Even though successful exploitation was impossible, Target Widgets personnel should still upgrade this potentially vulnerable version of OpenSSH to a more recent version that does not have this flaw.
The VNC password-guessing attack had run for 40 consecutive hours (just under two days) when it successfully guessed a password on the mail server machine using a blank account name. The password was a simple variation of words gathered from the Target Widgets web page, with some nominal substitutions of numbers in place of some letters. Using this password, PenTest personnel gained control of the GUI for this Windows machine. The GUI console of the system was left logged on, giving us complete control of the desktop of the machine and full access to all information stored on the system. Because this system sends and receives all e-mail to and from Target Widgets personnel, we could have intercepted or changed any clear-text Target Widgets e-mail entering or leaving the company. While certainly a cause for concern, this interception of e-mail traffic via VNC control of the mail server was not the most significant risk posed by the security weaknesses we identified.
From our vantage point controlling the GUI of the mail server, PenTest personnel invoked a command prompt on this Windows 2003 box. After checking with target system personnel, we loaded the fgdump password-dumping tool onto this machine so that we could extract its password hashes for cracking using the traditional John the Ripper password cracker and the Rainbow-Tables-based Ophcrack tool. While we cracked the administrator password for this machine, we found that this password could not be used to access any other systems within the scope of the project.
However, we used the command shell running on the mail server system accessed via VNC to conduct a ping sweep of the DMZ using only built-in Windows tools (a FOR loop in a simple script on Windows pinged all of the available addresses on the DMZ). This sweep revealed another system not discovered by our automated scans earlier in the test. We discovered a target server at 192.168.14.57. Using the nbtstat command on Windows, we determined that this server was named db8, a database server on the DMZ.
With permission from target system personnel who carefully monitored the target machines while our test occurred, we loaded Netcat on the target Windows mail server at 192.168.14.21. We used Netcat to create a relay that would forward any inbound traffic from the mail server on TCP port 445 to the newly discovered db8 server on the DMZ. We then proceeded to attempt a series of exploits against the db8 server through the relay running on the mail server using exploits from the Metasploit framework. PenTest personnel found that the exploit associated with MS06-040, a vulnerability in the Windows Server service, could successfully exploit the target machine to gain shell access of the database server with local SYSTEM privileges. We used the exploit to make a reverse shell connection from this database server back to our machines at PenTest labs.
With this SYSTEM-level shell on the database machine, PenTest personnel began analyzing the file system to determine whether any sensitive information was located on the machine. This database system included a clear-text file called transaction_log.db that contained the account name, credit card number, expiration date, mailing address, and other sensitive information for over 4 million Target Widgets customers. Based on the rules of engagement and our standard procedures for conducting penetration tests, PenTest personnel neither looked at nor downloaded all of the contents of this file. Instead, we merely sampled the first few lines of the file to verify the information that it contained (specifically, that it included one account entry per line). We then counted the number of lines in the file using the command:

C:\> type transaction_log.db | find /c /v ""

The output of this command indicated that 4,039,123 individual accounts were in the file, each containing sensitive PII for Target Widgets customers, as shown in Figure 1.

Figure 1: Output of Commands on Database Server with PII
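The same sample-then-count approach can be turned into a defender-side check for clear-text card data on DMZ hosts. The following is an added example, not from the report: it inspects only the first few lines of a file with the one-account-per-line layout described above, reports masked values only, and counts records in a streaming pass; the record layout details and SAMPLE_DB are constructed, using well-known Luhn-valid test numbers rather than real data.

```python
"""Check a file for clear-text card numbers without reading it into memory.

Added example. The layout mirrors what the report describes for
transaction_log.db (one account per line); SAMPLE_DB is constructed test data
built from well-known Luhn-valid test card numbers, not real customer records.
"""
import io
import re

# Runs of 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

SAMPLE_DB = """\
jdoe,4111111111111111,12/11,1 Main St Big City
ssmith,5555 5555 5555 4444,03/12,2 Oak Ave Big City
bwayne,1234567890123456,01/13,3 Elm St Big City
ckent,4012888888881881,06/12,4 Pine Rd Big City
plane,ORDER-20090301,,5 Ash Ln Big City
wwest,378282246310005,09/11,6 Birch Ct Big City
hjordan,5555555555554444,11/12,7 Cedar Dr Big City
"""


def luhn_valid(digits):
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return Luhn-valid card-like numbers found in text, as bare digit strings."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(digits):
    """Keep only the last four digits so the result can go into a report."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_file(fileobj, sample_lines=5):
    """Inspect only the first sample_lines for PII, then count all records."""
    total = 0
    sampled_with_pii = 0
    masked = []
    for total, line in enumerate(fileobj, start=1):
        if total <= sample_lines:
            hits = find_card_numbers(line)
            if hits:
                sampled_with_pii += 1
                masked.extend(mask(h) for h in hits)
    return {
        "records": total,
        "sampled": min(total, sample_lines),
        "sampled_with_pii": sampled_with_pii,
        "masked_examples": masked,
    }


def scan_text(text, sample_lines=5):
    """Convenience wrapper for in-memory data such as SAMPLE_DB."""
    return scan_file(io.StringIO(text), sample_lines)


if __name__ == "__main__":
    result = scan_text(SAMPLE_DB)
    print(f"{result['records']} records; {result['sampled_with_pii']} of the first "
          f"{result['sampled']} lines contain card numbers: {result['masked_examples']}")
```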
At the end of the project, we removed the software we installed on the target machine (Netcat). This was the only change made to target machines, and it was rolled back, putting the machines in their original state. No other changes were made to target systems during the course of the project.
4. Findings

Throughout the remainder of this document, each vulnerability or risk identified has been labeled as a Finding and categorized as High-Risk, Medium-Risk, or Low-Risk, which are defined as:

• High-Risk findings are critical. These vulnerabilities should be addressed promptly because they may pose an immediate danger to the security of the networks, systems, or data.
• Medium-Risk findings should be addressed in a timely manner.
• Low-Risk findings should be noted and addressed at a later date, but may not pose a real threat to the network and connected systems at this time.

Each category of finding (High, Medium, and Low) is included as its own subsection. No low-risk findings were identified during this project.
4.1 High-Risk Findings

4.1.1 High-Risk: VNC Offers Remote Control of Mail Server Across Internet

Vulnerable Target: Mail Server at 192.168.14.21
Level of Risk: High
Likelihood of Exploitation: Medium

Description:
PenTest, Inc. discovered that VNC, the remote GUI control tool, was running on Target Widgets' mail server, accessible across the Internet via TCP port 5900. VNC provides remote control capabilities and is a convenient method by which an employee can remotely access a system's GUI across the network. However, its convenience also assists malicious individuals in their quest to gain remote access to a system. If VNC is configured with an easily guessed password, an attacker can gain complete control of the system. Furthermore, historically, various VNC implementations, even when configured with a difficult-to-guess password, have had significant security issues, such as buffer overflow flaws and authentication bypass vulnerabilities. Although the VNC service listening on this mail server system appeared to be fully patched, there remains the possibility of newly discovered flaws in VNC allowing attackers to compromise systems.

Recommendations:
If VNC is not needed for administration, it should be disabled and removed from the system immediately. Furthermore, Target Widgets personnel should configure the network firewall to block inbound VNC access on TCP 5900 and any alternative ports the given VNC server may be configured to use.

If there is a business need for managing the system via its GUI across the Internet, PenTest personnel recommend that Target Widgets deploy a strongly authenticated, encrypted form of GUI access. For example, either VNC or Windows Terminal Services access can be configured to be carried across a secure, encrypted tunnel implemented via Secure Shell (SSH) port forwarding or IPsec Virtual Private Networks (VPNs) between the management system and the destination server. Alternatively, Target Widgets personnel could consider secure management tools that rely on HTTP over SSL (HTTPS) to encrypt such interactions.
4.1.2 High-Risk: Guessable Password Allows for Remote Compromise of Mail Server

Vulnerable Target: Mail Server at 192.168.14.21
Level of Risk: High
Likelihood of Exploitation: High

Description:
PenTest, Inc. used an automated password-guessing tool to determine a password for VNC access to the mail server. The password for this access was a trivial variation of words retrieved from the Target Widgets website, guessed by our tool within 40 hours of run time. To authenticate to the system via VNC, no user account name was required. Using this password, PenTest personnel were able to gain complete administrative control of the machine.
Recommendation:
If VNC access is required, PenTest personnel strongly recommend that Target Widgets personnel configure it to require both a username and password for authentication, not just a password. Then, at a bare minimum, select difficult-to-guess passwords that are neither dictionary terms nor associated in any way with the Target Widgets company. If resources are available, we further recommend that Target Widgets personnel deploy an authentication scheme for such encrypted system administration traffic that does not rely exclusively on static passwords, and instead utilizes one-time passwords, time-based authentication tokens (such as RSA's SecurID tokens), or challenge-response tokens.
4.1.3 High-Risk: Unpatched Windows Machine on DMZ Allows Exfiltration of Sensitive PII

Vulnerable Target: Database Server at 192.168.14.57
Level of Risk: High
Likelihood of Exploitation: High

Description:
This machine, running the Windows 2000 Server operating system, lacks a critical patch from Microsoft known as MS06-040. This vulnerability in the Windows Server service allows attackers to use free, widely available exploit code to compromise the system and gain complete administrative control of the machine, running commands with local SYSTEM privileges. Although the db8 server on the DMZ cannot be directly accessed from the Internet, it can be reached by compromising other hosts on the DMZ. PenTest personnel targeted this vulnerability via a flaw in the mail server machine to gain command-shell access on this db8 system. With this command-shell access, we were able to search through the file system and find clear-text records containing PII of Target Widgets customers.
Recommendation:
Microsoft has released a set of patches for Windows 2000, XP, and 2003 machines that address this flaw, described at http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx. PenTest recommends that Target Widgets deploy this patch immediately to the DMZ system. In our experience, this patch has caused very few problems in production environments, although Target Widgets personnel should quickly evaluate it in a test environment before rolling it into production.

Furthermore, we strongly recommend that Target Widgets personnel review the patching and audit processes for all systems on the DMZ to determine why this patch was repeatedly missed in updates and audits. The patch and audit processes should be carefully scrutinized and improved to avoid such issues in the future.
4.1.4 High-Risk: Unencrypted PII on DMZ Server
Vulnerable Target: Database Server at 192.168.14.57
Level of Risk: High
Likelihood of Exploitation: Medium
Description:
The db8 server includes a file called transaction_log.db that contains over 4 million records with PII of Target Widgets customers without any encryption at all. Any user accessing the file system with administrator or local SYSTEM privileges can read the file, gaining access to very sensitive information.
Recommendation:
PenTest recommends that, at a minimum, Target Widgets personnel deploy an encryption solution to protect the PII on this server. Numerous encryption products are available on a free or commercial basis, including TrueCrypt, GNU Privacy Guard, and Pretty Good Privacy. Going further, PenTest personnel recommend that Target Widgets investigate whether there is a business need for storing and accessing PII on the DMZ. In many environments, such information can be stored on internal protected networks, usually a more secure approach than keeping the data on perimeter networks. If there is no defined business need for storing the PII on the DMZ, PenTest recommends that the applications and network be redesigned to allow for internal storage of this sensitive data.
4.2 Medium-Risk Findings
4.2.1 Medium-Risk: OpenSSH Flaw Could Allow Unauthorized Access without Authentication on Linux App Server
Vulnerable Target: Linux app server on DMZ at 192.168.18.89
Level of Risk: Medium
Likelihood of Exploitation: Low
Description:
The Linux application server is running OpenSSH 2.3.1, an older version of the Secure Shell tool. If an attacker can gain access to the public key of a valid SSH user on the system, he or she could bypass normal authentication mechanisms on the box, which should require the user's private key to log in to the system. Because of a flaw in older versions of OpenSSH, the private key of a user is not required. Thus, any attacker, system administrator, or user who has access to the SSH public key of a user on this machine can gain access to the system. However, without a public key of a user, PenTest, Inc. was not able to exploit this issue successfully.
Recommendation:
PenTest recommends that Target Widgets personnel upgrade the OpenSSH installation on this machine to a more recent version of the software. Furthermore, we recommend that PenTest personnel check other servers on the DMZ and elsewhere in the enterprise to make sure that they are running the latest versions of OpenSSH software.
4.2.2 Medium-Risk: Excessive Numbers of Open Ports Indicates Lax Firewall Rules and System Hardening
Vulnerable Target:
192.168.18.3: TCP 21,22,23,25,443
192.168.18.9: TCP 80,90,6000 and UDP 53,110,500
192.168.18.14: TCP 135,139,445 and UDP 137,445
192.168.18.18: TCP 32772,32773,32774
Level of Risk: Medium
Likelihood of Exploitation: Low
Description:
On the 192.168.18 subnet, PenTest, Inc. discovered many systems with a large number of ports open. Although we were not able to exploit these systems via these open ports, the relatively high number of ports accessible on the machines is a likely sign of two conditions that should be addressed. First, the target networks appear to have rather lax firewall rules, allowing in numerous different ports for which there is likely not a business need. Secondly, the large number of accessible ports, especially those associated with Windows Server Message Block (TCP 135, 139, and 445), X Windows (TCP 6000), and various RPC services (TCP 32772 and up), is a possible indication that the target machines have not been hardened thoroughly.
Recommendation:
PenTest, Inc. recommends that Target Widgets disable services on these ports without a defined business need. Hardening guides freely available at the Center for Internet Security (www.cisecurity.org) describe how to harden many underlying operating systems and applications. We also recommend a review of the configuration of the firewall(s) protecting these machines. Target Widgets personnel should configure the firewalls to block any services that do not have a specific, documented business need.
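To turn the port inventory above into a reconciliation step against a documented business-need list, the following added script (example code written for this page, not part of the PenTest, Inc. report) parses the "Vulnerable Target" lines of this finding, flags every port absent from an allow-list, and tags the ones the report singles out as hardening concerns (SMB, X Windows, RPC). The allow-list ALLOWED is a hypothetical assumption; Target Widgets' real list would come from its own service documentation.

```python
import re
from collections import defaultdict

# Port inventory transcribed from the report's "Vulnerable Target" list in 4.2.2.
REPORT_INVENTORY = """
192.168.18.3: TCP 21,22,23,25,443
192.168.18.9: TCP 80,90,6000 and UDP 53,110,500
192.168.18.14: TCP 135,139,445 and UDP 137,445
192.168.18.18: TCP 32772,32773,32774
"""

# Hypothetical allow-list of services with a documented business need
# (an assumption for this example, not something the report states).
ALLOWED = {("tcp", 22), ("tcp", 25), ("tcp", 80), ("tcp", 443), ("udp", 53)}

LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):\s*(.+)$")
PROTO_RE = re.compile(r"\b(TCP|UDP)\s+([\d,]+)", re.I)


def parse_inventory(text):
    """Return {host: {(proto, port), ...}} from lines like 'ip: TCP 21,22 and UDP 53'."""
    hosts = defaultdict(set)
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a host line
        host, rest = m.groups()
        for proto, ports in PROTO_RE.findall(rest):
            hosts[host].update((proto.lower(), int(p)) for p in ports.split(",") if p)
    return dict(hosts)


def hardening_concern(proto, port):
    """Tag a port with the hardening concern the report names, or None."""
    if proto == "tcp" and port in (135, 139, 445):
        return "smb"
    if proto == "tcp" and port == 6000:
        return "x11"
    if proto == "tcp" and port >= 32772:  # "TCP 32772 and up": Sun RPC dynamic range
        return "rpc"
    return None


def audit(text, allowed=ALLOWED):
    """Per host, list every open port lacking a documented need, with its concern tag."""
    report = {}
    for host, ports in parse_inventory(text).items():
        unexpected = sorted(p for p in ports if p not in allowed)
        report[host] = [(proto, port, hardening_concern(proto, port))
                        for proto, port in unexpected]
    return report


if __name__ == "__main__":
    for host, items in sorted(audit(REPORT_INVENTORY).items()):
        for proto, port, concern in items:
            print(f"{host} {proto}/{port} -> {concern or 'no documented need'}")
```

Each flagged line is either a firewall rule to tighten or a service to disable on the host, which is the split between the two conditions the finding describes.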
5. Conclusions
The penetration test of Target Widgets' Internet infrastructure performed by PenTest, Inc., in March 2009 identified several high-risk security issues. The goal of the test was to determine whether an attacker on the Internet could gain access to Personally Identifiable Information associated with Target Widgets customers.
PenTest's personnel were indeed able to gain access to Personally Identifiable Information (PII) of over 4 million Target Widgets customers by exploiting flaws associated with unneeded services, guessable passwords, unpatched systems, and lack of encryption for sensitive data. If a malicious attacker were to exploit these flaws to steal this sensitive information, Target Widgets could face brand tarnishment, government investigations, and possibly fines, with significant impact to its business. Compared to other companies in the widget industry, the security of Target Widgets' Internet DMZ was found to be relatively weak.
Any questions regarding this report or the penetration test it describes should be directed to John Smith, the technical lead of the project from PenTest, Inc., at [email protected] or 555-555-5555.